The people who have set up CPAN mirrors are donating their bandwidth and storage. If we started uploading binaries (be it PPM or .par's) of all CPAN modules for all versions of perl and for several OSes, the size of the CPAN archive would explode. That might, or rather will, be considered abuse.

A further issue is that the distribution of binaries from untrusted sources is a major security issue. Suppose anybody could upload a binary for any module. Madness!

The reason for this lies in the nature of those binaries: they're binary builds of PAR (now PAR::Packer) for Win32 only. Mainly, this is because PAR itself has traits of a package manager, and providing a binary can mean the user does not need to do fancy bootstrapping to get it to work. This has been relaxed now that PAR was split into two distributions, however. The other reason is that Win32 is one of the major user platforms for PAR and doesn't always come with a C compiler. Furthermore, the security issue is sort of minimized by the fact that those packages are always uploaded by the same CPAN user as the release manager for PAR itself.

That being said: why upload PPMs to CPAN which can only reasonably be used with a single specific distribution of perl (ActivePerl)? Instead, you could use .par archives and provide support for auto-installing them if no compiler was found. This works well with PAR right now.

There are currently no less than 15 versions of the latter being mirrored. Losing two of those old versions (to, say, BackPAN) would allow 3 versions of the PPM to be held without creating any extra demand on the mirrors.

the distribution of binaries from untrusted sources is a major security issue.

Do you inspect every line of every source file in each package you install? What about all the .t files? Does anyone?

Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.

There is a pervasive logical disconnect here that says source is safe and binary not. But pervasive does not mean correct. Any and all software sourced from outside your organisation is potentially dangerous. And the idea that all the risks are negated by the potential for visual inspection, even if anyone actually did that--which they don't--is so profoundly wrong, that the idea itself, and those that expound it, should be actively and vigorously countered at every opportunity.

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

Addressing your remark about special cases: It wasn't me who started doing those binary releases of PAR. I just became responsible for the PAR releases and continued ongoing practice.

Whether 15 versions of Template::Toolkit should be supplied via CPAN is an entirely different question than whether we should add various PPM packages per distribution.

Furthermore, I do know organizations who only allow thoroughly inspected code to be used. But that doesn't matter. It's a question of principle.

Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.

That's ridiculous. Disassemble shared libraries? I don't think so. Also, you suggested that anybody should be able to upload PPMs for any modules.